How to create a VPN server with Microsoft Azure

Learn how to create a personal VPN server using Microsoft Azure and Meshnet.


Microsoft Azure is a cloud computing platform that provides a range of options for people looking to host their services on the cloud. Azure's extensive features and benefits make it a great choice to host a VPN server.

With Microsoft Azure, you can easily create and manage various virtual machines (VMs). Its global network of data centers ensures fast and reliable access to your services from anywhere in the world. Additionally, Azure has a flexible pricing model, offering a free subscription and allowing you to pay only for the resources you use once the free trial expires.

By using Meshnet in tandem with Azure, you can turn a simple VM into a secure VPN server without any advanced configuration.

This guide showcases how you can make a VPN server from a VM hosted by Microsoft Azure using Meshnet’s traffic routing feature.


Be aware that by setting up your own VPN server, you increase your online privacy but not to the same extent as when connecting to a regular VPN server provided by NordVPN, which follows a strict no-logs policy.

Before you begin

To follow this guide, you need an active Microsoft Azure account. You can sign up for free on the Azure website.

Deploy a virtual machine on Microsoft Azure

First, you need to create a VM on Azure. While this guide focuses on setting up an Ubuntu VM, Azure allows you to create Windows VMs as well.

Method 1: Creating a VM using Azure Portal

  1. Log in to your Azure account.

  2. From your Azure portal, click Virtual machines.

  3. Click Create and select Azure virtual machine.

  4. In the Instance details section, name your VM, select its region, and choose the operating system (for example, Ubuntu 22.04 LTS).

  5. Under Administrator account, select SSH public key authentication or create a password and choose the name of the administrator user of the VM.

  6. Click Review + create.

  7. Click Create.


If you chose the SSH key authentication type, you will receive a Generate new key pair message after clicking the Create button. Select the Download private key and create resource option to download the private key file.

Method 2: Creating a VM using Azure CLI

Another method of managing Azure resources is the Azure Command-line interface (CLI). The Azure CLI allows you to create, deploy, and manage your Azure resources without using the internet browser. This method is highly beneficial for automation or server environments.

Install Azure CLI

To interact with Azure using CLI, you need to install the Azure CLI application on your device. Installation instructions for all compatible operating systems can be found on the Azure CLI documentation page.

Log in to Azure

Upon installing Azure CLI, log in to your Azure account by taking these steps:

  1. Open PowerShell (on Windows) or Terminal (on macOS and Linux).

  2. Run the following command to start the login process:

    az login

  3. Open the generated URL in an internet browser.

  4. Log in to your Azure account.

  5. Authenticate using the code provided in your CLI window.

Create your resource group

Azure uses resource groups to manage your VMs and their related resources. To create a resource group for your VPN server:

  1. Open PowerShell.

  2. Define the environmental variables for your VM by running the following commands:



    • <groupName> is a custom name for your resource group.

    • <location> is the region where your VM will be located.

      • You can check region names with the az account list-locations -o table command.

    • <vmName> is a custom name for your VM.

    • <imageName> is the name of the operating system image for your VM.

    • <username> is the name of the user account for your VM. Example

  3. Create the resource group with this command:

    az group create --name $env:RESOURCE_GROUP_NAME --location $env:LOCATION


The environmental variables will be reset if you close the PowerShell window.

Deploy the VM

With the environment variables defined and the resource group created, you can deploy your VM in Azure.

In PowerShell, execute the following command to create the virtual machine in Azure:

az vm create `
  --resource-group $env:RESOURCE_GROUP_NAME `
  --name $env:VM_NAME `
  --image $env:VM_IMAGE `
  --admin-username $env:ADMIN_USERNAME `
  --generate-ssh-keys `
  --public-ip-sku Standard

This command automatically generates an SSH key pair for your VM and places it in the default SSH directory (~/.ssh). Once the VM is created, you will see an output of the VM's information.

Access the virtual machine

Once your VM is deployed, you can access it over SSH. The way to access the VM depends on which authentication method you chose while creating it.

Changing permissions for the private key

To use the SSH key for authentication, you need to set the private key’s permissions to read-only.


  1. Open PowerShell.

  2. Run the following three commands to apply the permission change, substituting </path/to/private/key> with the path to the downloaded private key:

    icacls.exe </path/to/private/key> /reset
    icacls.exe </path/to/private/key> /grant:r "$($env:username):(r)"
    icacls.exe </path/to/private/key> /inheritance:r


macOS and Linux

  1. Open Terminal.

  2. Run the following command to apply the permission change, substituting </path/to/private/key> with the path to the downloaded private key:

    chmod 400 </path/to/private/key>


    chmod 400 /Users/ventura/.ssh/UbuntuVPNServer_key.pem

Connecting over SSH

  1. Locate the public IP address of your VM.

    • If you created the VM using Azure CLI, you can run one of the following commands: For Windows in PowerShell:

      az vm show -d -g $env:RESOURCE_GROUP_NAME -n $env:VM_NAME --query publicIps -o tsv

      For macOS and Linux in Terminal:

      az vm show -d -g $RESOURCE_GROUP_NAME -n $VM_NAME --query publicIps -o tsv

  2. Run the ssh -i </path/to/private/key> <username>@<server> command in PowerShell or Terminal, where:

    • </path/to/private/key> is the location of the downloaded SSH private key.

    • <username> is the name of the administrator user of the VM.

    • <server> is the VM’s public IP address.


      ssh -i C:\Users\secretmeerkat\.ssh\UbuntuVPNServer_key.pem meerkat@

  3. Type in yes and press Enter to confirm the connection.

You should now be connected to your Azure VM.

Install NordVPN on the virtual machine

Follow these steps to install NordVPN on your virtual server:

  1. Download and install the NordVPN Linux client by running the command below.

    sh <(wget -qO -

  2. Log in to your NordVPN account.

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:

  • By running the nordvpn login command with the --token flag

  • By running the nordvpn login command with the --callback flag

Instructions for both methods are outlined below.

Log in using a token
  1. On any device, log in to your Nord Account dashboard and select the Meshnet (by NordVPN) card.

  2. Under Manual setup, select Set up NordVPN manually.

  3. Enter the verification code sent to your email address.

  4. Under Access token, click Generate new token.

  5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.

  6. Select Copy and close.

  7. On your VM, run the nordvpn login --token <your_token> command, replacing <your_token> with the copied token. Example

    nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b

You should now see a welcome message.

Log in using a URL
  1. Run the following command:

    nordvpn login

  2. Open the provided link on any device in your browser.

  3. Complete the login procedure.

  4. Right-click the Continue button and select Copy link address.

  5. Run the nordvpn login --callback "<URL>" command, replacing <URL> with the previously copied link address. Example

    nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"

You should now see a welcome message.


To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.


If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.

Enable Meshnet

Upon logging in, you can enable Meshnet on Linux by typing this command:

nordvpn set meshnet on

To check your server’s Nord name and the Meshnet IP address, enter the following command:

nordvpn meshnet peer list


You will also see all of your Meshnet peer devices with their corresponding permissions.

Grant the traffic routing permission

To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:

nordvpn meshnet peer routing allow <device>


nordvpn meshnet peer routing allow secret.meerkat-andes.nord

For more information, see the Traffic routing permissions page.

Connect to your VPN server

With Meshnet enabled and the permissions granted, your peer devices should now be able to connect to the server. To connect, start routing traffic from a client device through the VM, which you can find in the list of your Meshnet peer devices.

For specific instructions, see the Routing traffic in Meshnet article.

Your IP address should now be the same as the virtual machine’s. This way, your real public IP address is protected, and the websites you visit will see the location of your VPN server instead of your actual device.

Last updated

© 2024 Nord Security. All Rights Reserved.